Posted to java-dev@axis.apache.org by "Suresh Attanayake (JIRA)" <ji...@apache.org> on 2013/01/24 21:23:13 UTC

[jira] [Updated] (RAMPART-385) Rampart does check username token password (via callback), even though "NoPassword" was specified in Security Policy

     [ https://issues.apache.org/jira/browse/RAMPART-385?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Suresh Attanayake updated RAMPART-385:
--------------------------------------

    Attachment: policy-1.2-UT.xml
    
> Rampart does check username token password (via callback), even though "NoPassword" was specified in Security Policy
> --------------------------------------------------------------------------------------------------------------------
>
>                 Key: RAMPART-385
>                 URL: https://issues.apache.org/jira/browse/RAMPART-385
>             Project: Rampart
>          Issue Type: Question
>         Environment: JBoss 5.1.2 
> Axis2 1.6.2 
> Rampart/Rahas 1.6.2
>            Reporter: Simon Jongsma
>         Attachments: policy-1.2-UT.xml, RAMPART-385.patch
>
>
> A Policy was specified on a web service as such:
> <sp:SupportingTokens>
>   <wsp:Policy>
>     <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>       <wsp:Policy>
>         <sp:NoPassword/>
>       </wsp:Policy>
>     </sp:UsernameToken>
>   </wsp:Policy>
> </sp:SupportingTokens>
> If the request contains username token + password in security header, I would expect (hope) Rampart to ignore
> the password or complain that a password is present (I'm not sure about the meaning of NoPassword in this respect).
> Anyway: Rampart will go into the password callback and require us to supply the value.
> Is this correct?

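A standalone version of the stricter behaviour the reporter describes ("complain that a password is present"), as an added example that is not Rampart's code or part of the original message. It reads sp:NoPassword as WS-SecurityPolicy 1.2 defines it (the wsse:Password element must not be present in the UsernameToken); the class name, method names and sample envelopes are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class NoPasswordCheck {
    static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    /** Returns null if every UsernameToken honours sp:NoPassword, else the reason it does not. */
    static String violation(String soapXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);  // elements are matched by namespace, not by prefix
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);  // no DTD/XXE
        Document d = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(soapXml.getBytes(StandardCharsets.UTF_8)));
        NodeList tokens = d.getElementsByTagNameNS(WSSE, "UsernameToken");
        if (tokens.getLength() == 0) return "no UsernameToken in message";
        for (int i = 0; i < tokens.getLength(); i++) {
            Element token = (Element) tokens.item(i);
            if (token.getElementsByTagNameNS(WSSE, "Username").getLength() == 0)
                return "UsernameToken without wsse:Username";
            if (token.getElementsByTagNameNS(WSSE, "Password").getLength() > 0)
                return "wsse:Password present although policy asserts sp:NoPassword";
        }
        return null;
    }

    // Constructed sample message: SOAP 1.1 envelope carrying one UsernameToken.
    static String envelope(String tokenBody) {
        return "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\""
             + " xmlns:wsse=\"" + WSSE + "\"><soapenv:Header><wsse:Security><wsse:UsernameToken>"
             + tokenBody
             + "</wsse:UsernameToken></wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>";
    }

    public static void main(String[] args) throws Exception {
        String user = "<wsse:Username>alice</wsse:Username>";  // constructed value
        System.out.println(violation(envelope(user)));
        System.out.println(violation(envelope(user + "<wsse:Password>constructed</wsse:Password>")));
    }
}
```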